
I am creating an Azure VM running Linux programmatically via azure java sdk and I am looking to encrypt the drives. OS drives provide a nifty .withOSDiskEncryptionSettings method. But I am not seeing anything in the data disk documentation for that.

I do know that Azure does encrypt these drives at rest with their own keys, but I do have a requirement to be able to encrypt with my own keys.

So my question is this: what is the encryption pattern for Azure VM data disks when managing them programmatically?

  • Encryption for Windows VMs in Azure relies on Bitlocker. https://learn.microsoft.com/en-us/azure/virtual-machines/windows/disk-encryption-overview Start by reviewing microsoft documentation. – Daniel Björk Jan 08 '20 at 21:30
  • @DanielBjörk I'm sorry I forgot to mention these are Linux VMs – Tim Zhukov-Khovanskiy Jan 08 '20 at 21:31
  • Then check https://learn.microsoft.com/en-us/azure/virtual-machines/linux/disk-encryption-overview Linux VMs use DM-Crypt, and it is configured in the same way. I don't have a solution for you in Azure Java SDK, but it's very easy to do with PowerShell or CLI. – Daniel Björk Jan 08 '20 at 21:34
  • @DanielBjörk I have read that documentation. I could see using CLI as a workaround and encrypting data disks after the VM is created. It seems rather odd to have OS disk encryption available at VM definition stage via java sdk, but not have the same functionality for data disks. It feels rather clunky to do it that way though, unless there is a better pattern for data disks. – Tim Zhukov-Khovanskiy Jan 08 '20 at 21:37
  • Having a separate encryption step via CLI would introduce more complexity though, since if it fails I would need to rollback VM creation, since it's not created to spec. – Tim Zhukov-Khovanskiy Jan 08 '20 at 21:50
  • If you are still having questions, feel free to open an issue on https://github.com/Azure/azure-sdk-for-java – littlejedi Feb 29 '20 at 14:42


I am sorry that the withOSDiskEncryptionSettings does not work as you wanted.

Actually, it will be used when you create a VM with an uploaded pre-encrypted OS disk. As it is a pre-encrypted disk, Azure will not be able to decrypt the data and the VM will not be able to start up. So, in this case, you need to tell Azure the disk encryption settings. For more details, you may refer to: Prepare a pre-encrypted Linux VHD and Specify a secret URL when you attach an OS disk

However, for a newly created Azure VM, currently, you should use the disk encryption extension to enable disk encryption. And it is actually what you do from Azure portal, Azure CLI or Azure PowerShell. For example, with Azure PowerShell, you should run: Set-AzVMDiskEncryptionExtension -ResourceGroupName MyResourceGroup -VMName "MyVM" -DiskEncryptionKeyVaultUrl $KeyVault.VaultUri -DiskEncryptionKeyVaultId $KeyVault.ResourceId -SkipVmBackup -VolumeType All

So, basically, if you do want to enable disk encryption programmatically, you may use Azure Java SDK to add an extension to your VM. Here is a sample: ManageVirtualMachineExtension.java

Hope the information above would be helpful to you.

Jack Jia
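The extension-based approach the answer describes, written out as an added example in Java (this is not code from the question, the answer, or the Azure SDK sample it links to). It assumes the fluent `com.microsoft.azure.management` SDK generation that was current when the question was asked, an `Azure` client that is already authenticated, and a VM that has been created with its data disks attached but not yet encrypted. The resource group, VM name and Key Vault values are placeholders. The public-settings keys (`EncryptionOperation`, `KeyVaultURL`, `KeyVaultResourceId`, `KeyEncryptionAlgorithm`, `VolumeType`, `SequenceVersion`) are the documented settings of the Azure Disk Encryption extension; the `diskEncryption().getMonitor()` status read at the end is the fluent SDK's encryption monitor and is used here as a post-condition so that a failed or partial encryption is detected before the VM is reported as built to spec, which addresses the rollback concern raised in the comments.

```java
import com.microsoft.azure.management.Azure;
import com.microsoft.azure.management.compute.DiskVolumeEncryptionMonitor;
import com.microsoft.azure.management.compute.EncryptionStatus;
import com.microsoft.azure.management.compute.VirtualMachine;

import java.util.HashMap;
import java.util.Map;
import java.util.UUID;

public class EnableDataDiskEncryption {

    // Publisher/type/version of the Linux ADE extension (single-pass, Key Vault only).
    private static final String ADE_PUBLISHER = "Microsoft.Azure.Security";
    private static final String ADE_TYPE = "AzureDiskEncryptionForLinux";
    private static final String ADE_VERSION = "1.1";

    /**
     * Adds the Azure Disk Encryption extension to an existing Linux VM so that the
     * OS disk and every attached data disk are encrypted with keys the VM owner
     * controls in Key Vault. Returns the updated VM so the caller can inspect status.
     *
     * @param azure           authenticated Azure client (assumption: created elsewhere)
     * @param resourceGroup   resource group of the VM (placeholder value in main)
     * @param vmName          name of the VM (placeholder value in main)
     * @param keyVaultUri     e.g. https://<vault>.vault.azure.net/ (placeholder)
     * @param keyVaultResId   full ARM resource id of that vault (placeholder)
     */
    public static VirtualMachine enableEncryption(Azure azure, String resourceGroup,
            String vmName, String keyVaultUri, String keyVaultResId) {

        VirtualMachine vm = azure.virtualMachines().getByResourceGroup(resourceGroup, vmName);

        // Public settings of the ADE extension. VolumeType "All" covers OS + data disks;
        // use "Data" if only the data disks should be encrypted. SequenceVersion must
        // change on every re-run so the extension handler re-applies the settings.
        Map<String, Object> settings = new HashMap<>();
        settings.put("EncryptionOperation", "EnableEncryption");
        settings.put("KeyVaultURL", keyVaultUri);
        settings.put("KeyVaultResourceId", keyVaultResId);
        settings.put("KeyEncryptionAlgorithm", "RSA-OAEP");
        settings.put("VolumeType", "All");
        settings.put("SequenceVersion", UUID.randomUUID().toString());

        // Same fluent pattern as the linked ManageVirtualMachineExtension sample,
        // but with the ADE extension instead of a custom-script extension.
        return vm.update()
                .defineNewExtension("AzureDiskEncryptionForLinux")
                    .withPublisher(ADE_PUBLISHER)
                    .withType(ADE_TYPE)
                    .withVersion(ADE_VERSION)
                    .withPublicSettings(settings)
                    .withMinorVersionAutoUpgrade()
                    .attach()
                .apply();
    }

    /**
     * Post-condition check: true only when every data disk reports ENCRYPTED.
     * A caller that builds VMs "to spec" can delete the VM when this returns false.
     */
    public static boolean dataDisksEncrypted(VirtualMachine vm) {
        DiskVolumeEncryptionMonitor monitor = vm.diskEncryption().getMonitor();
        return monitor.dataDiskStatus() == EncryptionStatus.ENCRYPTED;
    }

    public static void main(String[] args) {
        // Assumption: an authenticated client is obtained by the caller, e.g. via
        // Azure.authenticate(credentials).withDefaultSubscription().
        Azure azure = null; // replace with a real client
        VirtualMachine vm = enableEncryption(azure,
                "my-resource-group",                                   // placeholder
                "my-linux-vm",                                         // placeholder
                "https://my-vault.vault.azure.net/",                   // placeholder
                "/subscriptions/<sub-id>/resourceGroups/my-resource-group"
                        + "/providers/Microsoft.KeyVault/vaults/my-vault"); // placeholder
        if (!dataDisksEncrypted(vm)) {
            throw new IllegalStateException("data disks not encrypted; VM is not to spec");
        }
    }
}
```

Encryption of the data disks with this extension happens inside the guest (dm-crypt), so `apply()` returns when the extension is provisioned, not when every volume is fully encrypted; polling `dataDisksEncrypted` until it returns true, with a timeout, is the practical way to turn the "separate step" into a checked part of VM creation rather than an unverified side effect.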